Description
An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.
References
- Exploit, Technical Description, Third Party Advisory
- Vendor Advisory
- Exploit, Technical Description, Third Party Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions up to and including 3.5.4
In combination
cpe:2.3:o:inhandnetworks:ir302_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:inhandnetworks:ir302:-:*:*:*:*:*:*:*
EPSS: 0.00312 (Low), percentile: 54%
CVSS3: 7.5 High
CVSS3: 6.1 Medium
CVSS2: 4.3 Medium
Weaknesses
CWE-1004
CWE-732
Related vulnerabilities
CVSS3: 6.1
github
more than 3 years ago
An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.